It’s coming home…but is it real?

After 18 months of restrictions, regulations and downright misery for many in England, the performance of the England National Football Team in the European Championships has been a source of escapism for many, and of downright joy and national pride for the rest. In case you didn’t already know, It’s coming home* this week. Should England overcome Denmark at Wembley on Wednesday night, they will face a final in London on Sunday night against either Italy, the favourites, or previous winners Spain. It’s a tough ask, but the team under the management of Gareth Southgate has given the nation hope at a time when it was seriously lacking. Good times indeed. But good times also bring bad people out in force, looking to exploit the situation and profit from the opportunity.

The interest and support for the England team has led to unprecedented demand both for tickets for games to see them play at Wembley and for replica shirts. Prior to the tournament, an official Nike England shirt (adult size) would cost a minimum of £70, and there was stock with most of the online retailers. Three weeks later and it is almost impossible to find one in the same stores.

That is excellent news for Nike, the manufacturer, for the retailers and also for the Football Association, who will get a cut from each sale. But it is also excellent news for the scammers and counterfeiters, who will play on that increased demand and limited supply to fill the vacuum. There have been adverts on social media in recent weeks, carefully worded to say they aren’t selling the actual Nike replica shirts but using language and imagery that suggests they are. Many of these stores will be genuine, but the products not what people are expecting. There will also be online retailers offering what appear to be the genuine items, but nothing will ever arrive: the buyer has been scammed out of personal and financial information. That is hardly a feel-good moment. Unfortunately, it doesn’t take much searching to find websites selling the shirts at what appears to be too-good-to-be-true pricing (search “cheap England replica shirt” and see for yourself), whilst a search on some of the more popular marketplace websites reveals very cheap products pictured from the back, which means the images avoid detection by brand-recognition software and also allows the sellers to ship low-quality goods.

The cheap and often infringing merchandise situation is nothing new. In the US, Operation Team Player is the annual crackdown on counterfeit merchandise around the Super Bowl. In the days leading up to the last Super Bowl, in Tampa in February 2021, over 169,000 counterfeit items with a street value of $44 million were seized. The war on counterfeits continues, fuelled by rampant demand for products such as the replica shirts.

It isn’t only fake merchandise which will cause issues in the next week for football fans. Whilst the number of fans allowed into Wembley has increased as social distancing regulations have been relaxed, the 90,000-capacity stadium will not be full, which means tickets will be at an extra premium. The face value of tickets for the Final on Sunday ranges from £250 to approximately £815. Ticket resale websites are selling them from £1,800 per ticket up to £15,000.

If England do beat Denmark then demand for a place at Wembley for the team’s biggest game in over 50 years will be huge. The good news is that Covid-19 has meant that paper tickets have been replaced by e-tickets, which can be transferred securely via the UEFA app, so the sight of ticket touts (scalpers) on the way to the stadium with fistfuls of tickets is thankfully a thing of the past. However, like genuine buyers, they too have gone digital and will claim to be able to transfer tickets immediately to a willing buyer.

With entry by QR code on a digital device, the danger is that what is being sold is not a ticket but a screenshot of a genuine ticket, sold multiple times, which can only be verified as genuine on arrival at the stadium when the QR code is presented. If it has already been used then access will be denied, meaning someone could have paid a huge sum for what appears to be a genuine ticket, only to find out at the last minute that it is counterfeit.

Unfortunately, there is very little that can be done to stop this happening. Should England lose to the Danes then demand will fall very quickly, but even then tickets for the final will be changing hands above face value.

The message hasn’t changed: if something looks too good to be true, it probably is, whether that is an England shirt at a big discount or tickets to the sold-out final. Whilst we all want to play our part in supporting our nation in what could be our biggest and most successful week of football since 1966, we also need to be pragmatic enough not to be part of the problem, fuelling intellectual property infringements and making the lives of the fraudsters easier and richer.

Enjoy the games and Come On England!

And yes, I do believe It’s Coming Home*

*It’s coming home is the opening line to a song, first released back in 1996 by Frank Skinner, David Baddiel and The Lightning Seeds for the 1996 European Championships held in England, and re-released two years later for the 1998 World Cup. Unfortunately, England didn’t manage to bring the trophy home on either occasion, nor at any subsequent tournament they have taken part in.

I’m fairy sure these are fakes….

How scammers use pictures of the real deal to trick online shoppers into parting with their cash

We are not in the business of selling cars, we sell dreams

A picture says a thousand words, so the saying goes, but what if the picture in question is fake, or the picture is real but the product, service or solution doesn’t exist?

One of the major selling points for any online merchant today is good imagery. In most instances we want to look at what we are buying, or who we are engaging with, from different angles, as well as reading genuine reviews. You don’t have to search far online for tales of woe where reality turned out to be very different from what was advertised, whether that is hotels, cars, clothes or even dates.

But there is a growing trend of fraudsters using images and product descriptions of genuine small businesses, riding on the back of the hard work those businesses put into building their brand, then undercutting them and defrauding customers. Not only does this damage the revenues of the genuine businesses, but it can also damage their reputations.

One small business that has seen this happen too often is FantasyWire, so much so that they now have clear warnings on their website that they do not advertise on Social Media and that any similar products being advertised and sold are fakes. The artist behind the creations, Robin Wight, has taken years to grow his business, only to see fraudsters look to profit from his intellectual property. The most common ruse is to run Facebook Ads with a picture of a genuine work of Robin’s, then direct potential buyers to a website that takes payment, although the products can also be found on Amazon (search “fairy wire sculptures”).

The commissioned art that FantasyWire sells starts from around £15,000, whilst the scammers offer their “products” for less than £50; that in itself should be a major warning sign for any potential customer. If someone does buy one then at best they will get a sub-standard product that is nothing like the photos being used, or at worst they will receive nothing and their personal and financial details will be used in further scams.

Whilst the artist can report the fake ads to the Social Media networks and the marketplace sites, he has to do each one individually. “They’re asking me to report every leaf off a tree and I’m trying to report a forest”, Wight told the BBC about the issue he faced: not only the fake ads themselves, but the overwhelming number of them.

For small businesses, a formal brand protection strategy may be too costly, although where there is clear evidence of damage to revenues and reputation the return on investment is worthwhile. However, one less formal way for small businesses to get an idea of who is using their IP, such as pictures of products in ads, is Google Image Search, where you can upload a picture and Google will search for where it is being used online. It isn’t foolproof, but it is free and easy to use, results appear immediately, and it will give businesses an idea of the extent of the issue they face. Social Media networks and marketplace platforms need to do more to protect brand holders, especially in how clear infringements can be reported. It is all too easy for fraudsters to set up an online presence, create fake ads and start defrauding people.

Naturally, we are all after a bargain, but some things are simply too good to be true and it pays to do a bit of research before parting with your cash. Not everything is what it seems online, and whilst many of us lose our natural scepticism when we are using Social Media, it pays to be cautious: not only are you protecting yourself, but also the owner of the real intellectual property and potentially other online shoppers too.

More details of the story can be found in this article by the BBC.

Interview techniques

Having spent the last few months looking at opportunities in the marketplace, I am getting familiar with the tactics used by organisations to “streamline” the process. The last time I was looking for work was sixteen years ago, when LinkedIn had just started to be a thing and the reliance was on searching print media for job openings as well as some of the bigger online recruiters. Most insisted on a face-to-face interview to discuss your CV, your job ambitions and what potential openings they had.

Today, it has all changed. It is now very easy for a company to post a position online, create an automated process and quickly create short-lists based on algorithms, AI and automation. The consequence is that far more applicants apply for each job listed, because the filtering based on a CV or a LinkedIn profile can be done by computers in seconds and the odds of making a short-list have been significantly reduced. Consequently, with the human element in the initial job search removed in many instances, more applicants apply, creating a Catch-22 situation.

In the excitement of finding an interesting role that ticks as many boxes as it can, we are often prepared to give away more personal information than is needed. But we do so because the prize is so worthwhile. Except, what if there isn’t a job? What if the ad posted online is simply an elaborate phishing scheme to get candidates to share personal data that could be used for the fraudsters’ financial gain?

Employment/Recruitment scams are nothing new. They have been with us for many years and have cost some victims thousands of pounds. There have been cases of individuals selling up and moving their families to a new country because they have a new role, only to find on day one that there was never a job and that the fees they paid to sort out visas or short-term accommodation have been pocketed by fraudsters. But the acceptance of our digital lives today has led us to be less cautious when it comes to giving out personal details.

It would take a fraudster a matter of minutes to create a fake company profile on Social Media, adding in a few exotic office locations, a fictitious management team and, of course, some interesting open vacancies as the company “looks to expand into new markets”. Applicants for the roles need to submit CVs, a cover letter and a completed suitability questionnaire, all designed to glean information that could be resold on, or used by the fraudsters themselves to lure the candidate deeper into their web of lies.

Sounds far-fetched? Well, have a read of this article by security expert Brian Krebs, who reports on just this type of scam taking place a few weeks ago. This is just one example of a practice that is still far too common, especially as it looks to exploit those who may be in desperate need of employment. We need to take as many cautionary steps when seeking a new role as we do when buying from an unknown online store or responding to a dubious text or WhatsApp message, and be especially wary if the firm approaches you cold with an amazing offer of employment.

It doesn’t take much to determine whether a job opening is real or not. Whilst many of us will use LinkedIn or popular job sites such as Indeed, most firms will also list the roles on their own websites, so a starting point is to check whether the role exists there. Still unsure about the company? When did they register their domain name? If it appears very recent and through a proxy registration, that should be a red flag. Look at their address on an online map: does it appear to be real? When you search for the address, what companies are listed? Use tools such as Glassdoor to check what current and former employees say about the business. Also search for key individuals on LinkedIn: do they appear to be genuine?

The global economy is still in a state of flux and, with economic support for many firms slowly being reduced, the employment market is likely to hot up again. A major “supply” of available people will ultimately increase the demand for vacant positions, and the one thing we know from the world of the fraudsters is that when demand increases, so too does fraud.

Fliking rearing its ugly head again

Back in 2016, the growing issue of fake reviews being offered for sale became a major concern for marketplace websites, who vowed to clamp down on the unethical, and in many places illegal, practice. “Fliking” (fake liking) became a trend that was an issue not only for the marketplaces but for brand holders and consumers.

Fliking (Fl-ike-ing) is my word for this practice, meaning to solicit or buy social media likes, tweets or positive reviews… or, simply, fraud. Paying someone to say something that could be untrue can be classed as misleading, false advertising or fraudulent.

Despite the efforts of the major marketplaces, the issue still exists, as highlighted in a new report by the consumer group Which?, which found 10 websites selling fake reviews from £5 each and incentivising positive reviews in exchange for payment or free products.

Just over two years ago, another Which? report highlighted the issue of fake reviews and how they were being used to trick consumers. Eighteen months ago they updated that report, showing that very little had changed. Unfortunately, as their most recent report shows, the unethical practice is still happening on the major marketplaces today.

Our relationships with brands and marketplaces have changed so much over the last year thanks to the enforced restrictions and lockdowns we have faced. We now rely on online shopping more than ever and, more importantly, have had to adapt to communicating with others through technology rather than in person. That has led to a rise in people seeking reviews and opinions before they make purchases. Social media expert Erik Qualman found in a study that over 90% of shoppers are influenced by Social Media and trust peer recommendations over adverts. In a Which? survey of more than 2,000 UK adults in 2018, 97% said they use online customer reviews when researching a product. The Competition and Markets Authority (CMA) estimates that over £23 billion per annum of UK consumer spending is influenced by online customer reviews.

So why is this an issue? Fake reviews lead to consumers buying products that may be poor quality, or may not even exist at all. The more positive reviews a product gets, the higher it may rank on some marketplace sites, and so a Catch-22 situation begins. Consumers could end up buying products that are sub-standard or even dangerous on the strength of fake reviews. Any brand holder will tell you that one of the keys to a successful Social Media strategy is getting your message in front of the right people at the right time. Whilst they use social media and peer review sites to great effect, so too do the fraudsters.

The Which? report found that these weren’t small organisations offering the fake reviews. One of the businesses they researched had more than 700,000 reviewers on its books, who are offered incentives such as payments, free or discounted products and the opportunity to take part in loyalty schemes.

The big marketplace sites such as Amazon go to great lengths to try to spot and stop fake reviews, but with so many products offered on one of the world’s biggest websites it is an ongoing, uphill battle. We, as consumers, need to play our part in the fight against this unethical and illegal practice. We need to be on the lookout for some tell-tale signs that could reveal products that have fake reviews. These could include:

  • Too many 5-star, positive reviews – Be cautious of products that aren’t household names that have a plethora of overly positive reviews, especially if they have been added in a short period of time. Even great products will have some 3 or 4 star reviews.
  • Copycat reviews – Look for common language in reviews which could suggest that they are template reviews.
  • Look for verified purchases – On many websites actual product purchasers who submit a review are annotated as being “verified”. Whilst this isn’t a fool-proof method of identification, fake reviewers do not tend to buy the products in the first place.
  • Check the reviewer’s profile – If you are unsure about a review, look at the reviewer’s profile and see what other products they have been reviewing. Few people will spend all day adding reviews unless they are being incentivised to do so.
  • If it looks too good to be true – The final test is the most basic. If a review doesn’t sit right with you, pass on by.
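The tell-tale signs above can be turned into an automated screen. The following Python is an added example, not code from the original post: it scores a constructed set of reviews (sample data, not real marketplace reviews) against each sign, using assumed thresholds that a real check would tune.

```python
"""Screen a product's reviews for the tell-tale signs of fake reviews listed
above.  Added example with constructed sample data; the thresholds are
assumptions, not published rules of any marketplace."""
from dataclasses import dataclass
from datetime import date
import re


@dataclass
class Review:
    reviewer: str
    stars: int
    text: str
    posted: date
    verified: bool               # marketplace marked it a verified purchase
    reviewer_total_reviews: int  # how many reviews this profile has posted


def _shingles(text: str, n: int = 4) -> set:
    """Word 4-grams of a review, used to spot template text."""
    words = re.findall(r"[a-z']+", text.lower())
    return {" ".join(words[i:i + n]) for i in range(len(words) - n + 1)}


def template_pairs(reviews, threshold: float = 0.5) -> int:
    """Count pairs of reviews sharing at least `threshold` of the smaller
    review's 4-grams: a crude copycat / template-review check."""
    shingled = [_shingles(r.text) for r in reviews]
    pairs = 0
    for i in range(len(shingled)):
        for j in range(i + 1, len(shingled)):
            a, b = shingled[i], shingled[j]
            if a and b and len(a & b) / min(len(a), len(b)) >= threshold:
                pairs += 1
    return pairs


def screen_reviews(reviews) -> list:
    """Return the warning signs triggered by this set of reviews, in the
    order the checklist above lists them."""
    n = len(reviews)
    flags = []
    # Too many 5-star reviews: even good products pick up some 3s and 4s.
    if n >= 5 and sum(r.stars == 5 for r in reviews) / n >= 0.9:
        flags.append("too_many_five_star")
    # Reviews added in a short period of time.
    posted = sorted(r.posted for r in reviews)
    if n >= 5 and (posted[-1] - posted[0]).days <= 3:
        flags.append("burst_of_reviews")
    # Copycat wording across several reviews.
    if template_pairs(reviews) >= 2:
        flags.append("copycat_text")
    # Fake reviewers tend not to have bought the product.
    if sum(not r.verified for r in reviews) / n >= 0.6:
        flags.append("mostly_unverified")
    # Few people review all day unless they are incentivised.
    if sum(r.reviewer_total_reviews >= 50 for r in reviews) / n >= 0.5:
        flags.append("prolific_reviewers")
    return flags


# Constructed sample: a no-name gadget that picked up six glowing reviews in two days.
SUSPECT = [
    Review("buyer_a1", 5, "Amazing product, works perfectly, highly recommend to everyone.", date(2021, 6, 1), False, 140),
    Review("buyer_b2", 5, "Amazing product works perfectly highly recommend to everyone, five stars!", date(2021, 6, 1), False, 96),
    Review("buyer_c3", 5, "Amazing product, works perfectly, highly recommend to everyone!!", date(2021, 6, 2), False, 210),
    Review("buyer_d4", 5, "Best purchase ever, amazing product, works perfectly, highly recommend to everyone.", date(2021, 6, 2), False, 75),
    Review("buyer_e5", 5, "Great value, arrived quickly.", date(2021, 6, 2), True, 3),
    Review("buyer_f6", 5, "Love it, exactly as described.", date(2021, 6, 2), False, 58),
]

# Constructed sample: an ordinary product with mixed reviews spread over months.
GENUINE = [
    Review("jo_p", 5, "Does what it says on the tin, very happy with it.", date(2021, 1, 12), True, 4),
    Review("sam_k", 4, "Good build quality but the cable is a bit short.", date(2021, 2, 3), True, 11),
    Review("pat_l", 3, "Fine for the price, instructions could be clearer.", date(2021, 3, 19), True, 2),
    Review("alex_m", 5, "Replaced my old one, noticeably quieter.", date(2021, 4, 28), True, 7),
    Review("chris_n", 2, "Stopped charging after three weeks, returned it.", date(2021, 5, 30), False, 1),
    Review("dee_o", 4, "Solid little unit, took a while to arrive.", date(2021, 6, 14), True, 9),
]

if __name__ == "__main__":
    print("suspect:", screen_reviews(SUSPECT))
    print("genuine:", screen_reviews(GENUINE))
```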

It is an unfortunate by-product of our thirst for a bargain and our reliance on online marketplace websites that fraudsters continue to find ways to cause brand holders and consumers problems. Fliking is another example of how criminals have adapted their behaviour to take advantage of the current economic situation, one which consumers need to be aware of and prepared to take an additional step against to ensure that they stay safe and secure when shopping online.

Do I not Like that?

Last week we looked at the increasing trend on Social Media for scammers to use multiple domain names for the same adverts. But that isn’t the only approach that those who want to steal our personal and financial information use. Let’s look this week at how the bad actors play on our incessant need to grab a bargain.

But first we need to make a very important, clear statement. Despite what you may see, it is very rare for major brands to give away something in exchange for a like, share, comment or retweet. It doesn’t matter how benevolent they may seem, you need to ask yourself one simple question before you engage. Why?

In our COVID-driven, recession-fuelled need for a bargain, we often leave sense at the door when it comes to giving away our personal and financial details online. There is a belief that if there is a logo in an advert it is genuine. Social Media wouldn’t let anyone pretending to be someone else advertise on their network after all, right?

Wrong. Fraudsters use exactly the same methods to win “customers” as genuine brands, whether that is via SEO, email marketing, cold calling or extensive use of social media. Many platforms allow advertisers, whether they have good intentions or not, to target their adverts for the most impact or return on investment. They use a strategy to grab attention and create interest, then watch their offers spread as unsuspecting social media users share the information among their networks, creating multiple layers of opportunity from one initial, low-cost advert.

Let’s take the advert below as an example. For those who aren’t aware, Argos is an established High Street brand in the UK that sells a wide range of goods through their stores. You can go online, choose the products you want and either have them delivered or collect in store. However, they would never choose to advertise in this way.

For starters, let us ignore the poor grammar and spelling and concentrate on the offer. Argos has 50 “Curved” TVs. The picture shows they are Samsung TVs. Why not say that for a start? Perhaps because the word Samsung would be picked up by the Social Media platform as a brand name and be more likely to be scrutinised.

Secondly, why would Argos be prepared to give them away? What is stopping them selling them? If there was little damage, why wouldn’t they sell them as such? Retailers also have insurance that covers stock damage, which for 50 TVs would be worth a few thousand pounds.

Third, why do you think the only criterion is to share and like the post? Because liking and sharing gives authenticity to the offer. If 2,000 people like something it doesn’t sound fishy at all. They have 50 to give away, so it becomes very easy to choose 50 (or almost certainly more than 50) at random from the likes to give the TVs away to. Except they aren’t giving them away totally for free. In scams like this you will be asked to pay a delivery or an admin/insurance/warranty fee, maybe something small like £50, but if 100 people are all doing the same there is a nice profit from a small ad at minimal cost. Naturally, there isn’t any TV, and once the money has been paid the “brand” will disappear.

Looking at the advert itself should surely be enough to make you realise all is not well. The spelling (aloud rather than allowed, fulling instead of fully) and the grammar (capital R in Returned, TV’s rather than TVs) would not pass inspection with any brand advertising on or off line, whilst there is no branding in the photos that would back up that this was a genuine offer.

Major brands do not offer goods and services this way. Whilst we may want to believe it is true, and that the brand has generally altruistic values, there is no value for them in doing this.

The more people that do engage, like and share, the more the fraudsters will continue with their nefarious campaigns. We all have a part to play in this. Always question why a brand may be offering such deals, bargains or the like and remember, if it looks too good to be true, it probably is!

Money can’t buy you love

Like it or not, the commercialised world we now live in is determined by events in the year. As soon as Christmas is over, the focus is on Easter. Halloween has now become the in-thing, whilst every year there seems to be another day of celebration slipped into our consciousness by retailers and their marketing teams. One event that is now looming large is Valentine’s Day. For some people this is the opportunity for over-exuberance and lavish gifts to win someone’s heart. But it is also a big date in the diaries of the fraudsters trying to part us from our cash.

One industry that has seen the levels of fraud rise has been online dating. As with the way we consume our media, do our shopping and interact with each other, technology has made it easier for us to try to find love, with online apps now catering for all potential suitors. “It has never been easier to find love”, someone said to me last year, and whilst I understand what they are saying, it has also never been easier for a fraudster to break someone’s heart and empty their savings.

A recent example of the increase in nefarious activity in the online dating world has been an increase in investment-based scams that have started off as online conversations between two people supposedly “looking for love”. INTERPOL has recently brought the subject to the attention of all of its 194 member countries by issuing a Purple Notice outlining a specific modus operandi on dating apps and websites.

The International Criminal Police Organisation has compiled evidence based on reported cases that have used dating websites, with, as they refer to it, an artificial romance being established, trust being built and then details of an investment scheme being shared that the victim is encouraged to take part in. After all, having spent time getting to know each other, sharing personal and potentially intimate details, the long-term prospects of a relationship look good. The fraudsters “sell” the investment scheme, often accessed via an app, and continue to encourage further investment.

With many relationships now having to start and grow online due to the restrictions that COVID-19 has placed on us all, the conditions for these scams to fester have never been stronger.

The investment firms have authentic looking websites, domain names that could be using homographs to make them look real ( rather than – looks identical but there is a small ‘l’ rather than a capital ‘I’) and fake reviews that can be bought easily online. Everything looks good until one day the money, the firm and the potential love of their lives just disappears.
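One check a brand holder, or a cautious investor, can run against the homograph trick described above, as an added example that is not from the original post: it folds a domain name into a comparison form in which characters that commonly stand in for each other (lowercase l for capital I, the digit 1 for l, 0 for O, rn for m, accented letters) collapse together, and reports when a candidate matches a genuine domain only after that folding. It goes slightly beyond the l/I case in the text; the domains are constructed samples and the confusable table is a deliberately small assumption.

```python
"""Detect look-alike (homograph) domain names.  Added example, not code
from the original post; the domains are constructed samples and the
confusable table is a deliberately small assumption, not the full Unicode
confusables data."""
import unicodedata
from typing import List, Optional

# Single characters that pass for one another on many screens and in many
# fonts.  Each group is folded to one representative so look-alikes collide.
SINGLE = str.maketrans({
    "l": "i", "1": "i", "|": "i",  # l, 1 and | all pass for capital I / lowercase i
    "0": "o",
    "5": "s",
    "8": "b",
})
# Character pairs that read as one letter at a glance.
PAIRS = [("rn", "m"), ("vv", "w"), ("cl", "d")]


def skeleton(domain: str) -> str:
    """Comparison form of a domain: accents stripped, case folded,
    confusable characters replaced."""
    d = unicodedata.normalize("NFKD", domain)
    d = "".join(c for c in d if not unicodedata.combining(c))
    d = d.lower().translate(SINGLE)
    for pair, single in PAIRS:
        d = d.replace(pair, single)
    return d


def lookalike_of(candidate: str, genuine: List[str]) -> Optional[str]:
    """Return the genuine domain that `candidate` imitates, or None.
    An exact (case-insensitive) match is the real domain, not a look-alike;
    a look-alike differs in its raw form but becomes identical to a genuine
    domain once both are reduced to their skeleton."""
    if any(candidate.lower() == g.lower() for g in genuine):
        return None
    cand = skeleton(candidate)
    for g in genuine:
        if cand == skeleton(g):
            return g
    return None


# Constructed sample: the brand's real domain and some look-alikes of it.
GENUINE_DOMAINS = ["examplebank.com"]
SAMPLES = [
    "exampIebank.com",    # capital I in place of lowercase l
    "examp1ebank.com",    # digit 1 in place of l
    "exarnplebank.com",   # rn in place of m
    "exámplebank.com",    # accented vowel
    "ExampleBank.com",    # the real domain, different case
    "examplebank.co.uk",  # a different domain altogether
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(f"{s:20} -> {lookalike_of(s, GENUINE_DOMAINS)}")
```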

INTERPOL’s Financial Crimes unit has received reports of cases from around the world and has also reached out to the more popular apps and websites to ask for their help in flagging suspicious-looking activity reported by users. On Valentine’s Day it is a case of considering not only the “it” but also the “they” in the old adage: if it looks too good to be true, it probably is!

Open Sesame

Every year research is carried out and published on the most popular passwords in use, and every year we all scratch our heads trying to understand the logic in using the ones that appear at the top of the list. The 2020 top 10 still had the same passwords as 2019. And 2018, 2017, 2016 and so on. It just seems that many of us have issues trying to remember “different” passwords and so go for something easy, such as ‘123456’, still the most used password, or ‘qwerty’, ‘password’ and ‘111111’.

Fortunately, many online portals now have password standards which force people to create more complex passwords, whilst most smart devices can automatically generate sophisticated 16-character passwords that are stored securely in the cloud.

The National Cyber Security Centre (NCSC) has published the following infographic, which provides simple, sensible but above all secure advice on how to change password-setting habits.

It isn’t just our own personal accounts that are at risk. Individual passwords and login credentials for work systems pose a huge risk of compromise for businesses of all sizes. The increase in the sophistication and volume of social engineering activity has led to major brands being impacted, but it isn’t always us humans who are directly vulnerable.

“Passwords have traditionally been the first line of defense for companies, but they continue to cause frustration and risk,” says John Bennett, general manager of identity and access management at LogMeIn. “Even more, password sharing and reuse remains a common practice in most businesses, with employees reusing one password an average of 13 times.”

In their 2020 Data Breach Investigations Report, Verizon found that 70% of data breaches came from an outside source, with password compromise a major entry vector into otherwise secure infrastructures. Our willingness to choose simple passwords for work systems significantly increases the likelihood of criminal compromise, the impacts of which can seriously damage a brand’s revenues and reputation.

Having a robust password management policy and process will ensure that many of these risks can be mitigated, but individuals still have a role to play in being part of the solution rather than the problem, both when they are behind their desk at work and when using their personal devices in a personal capacity.

The $500m gift that doesn’t keep on giving

It’s Christmas time, which can only mean one thing in the world of cyber security: festive-related scams. It amazes me how many of my normally sensible friends somehow lose their sense of due diligence when presented with offers on Social Media that simply look too good to be true.

If someone we’d never met before came up to us in the street as we were doing our Christmas shopping and offered us $5,000 simply because they were feeling generous, we’d be very sceptical indeed. But it appears that if that stranger appears to be a famous brand or a celebrity online, then all sense of precaution goes out of the window.

This week a scam was uncovered on Instagram that beggars belief, yet thousands seem to have been hoodwinked into giving away personal details. Oprah Winfrey has over 40m followers on Twitter and around 11.3m on Instagram and is considered to be one of the most successful media stars in the US. But would she really be giving away $500m to random followers on Social Media? Well yes, if you believed the Instagram account @OwnChristmas. To add some “authenticity” to the giveaway, a doctored Twitter message was added to the page, supposedly showing the promise to give away the cash from Winfrey’s verified Twitter account.

All you needed to do to get the cash was to send OwnChristmas your personal details, including bank usernames. It is unknown how many followed the instructions before the account was identified and removed from Instagram, but significant damage could have been done.

It wasn’t only Oprah who was giving away cash to complete strangers: boxer Floyd Mayweather apparently was going to give $1,000 to the first fifty thousand followers of his new Instagram account. All people needed to do was follow him and send him a Direct Message saying how the money was to be paid, or in other words, give a complete stranger their bank account details. Whilst Mayweather is a successful sportsman, what motivation would he have to give complete strangers $50 million?

Another ‘too good to be true’ offer that I saw this week was a free holiday for four to Hawaii, supposedly provided by First Choice on Facebook. Now, there is a very well-known and successful holiday company called First Choice Holidays that has been operating for years in the UK. This wasn’t anything to do with them, but the wording of the advert suggested it was something that one of their High Street stores was offering. All you had to do was ‘like’ the offer, add a positive comment and someone would be in touch to confirm your entry via email. The ad soon disappeared, so we don’t know what the ultimate aim of those behind the scam was: it may have been simply to harvest some personal details that could be sold on, or they may have approached numerous ‘participants’ congratulating them on their win and asking for an admin fee to process the holiday.

Unfortunately, it is all too easy to create scams on Social Media, with little in the way of verification of adverts and offers. Fraudsters also buy Social Media followers and likes for a few dollars to give their online presence a sense of authenticity. Whilst the window of opportunity is normally limited before a tipping point of complaints forces the Social Media networks to remove the offending adverts, all they need are a few to bite and submit personal or even financial details and they will be in significant profit.

Whilst many well-known brands will actively use Social Media to engage with customers, and many will offer competitions to build their social media footprint, they will never ask for information such as bank account details or usernames and passwords. Always ask yourself if it’s too good to be true, and if it is then it is more than likely a scam.

Just because it is the season of giving, do not be one of those who are taken in.

The next technology Big Bang? GDPR in 30 seconds

I’m of an age where I have lived through two major technological events that had business owners in a cold sweat and vendors rubbing their hands in delight. As a young salesperson working in the telecommunications industry for one of the biggest global players, I remember PhONEday vividly. Those under the age of forty will have lived in blissful ignorance that changes to almost every phone number in the UK were made on the 16th April 1995. Whilst Take That’s Back for Good was riding high in the charts, Dumb and Dumber was the big hit at the cinema and Blackburn Rovers were on the verge of an unlikely Premier League title, those of us working in the telecoms industry were busy preparing for an extra “1” to be added to all telephone numbers after the first “0”. Some cities, such as Leeds, Sheffield, Bristol and Nottingham, would get a whole new numbering system.

Nobody knew what would happen at midnight on the 15th April – would phone systems explode, would the stock market collapse with brokers who still traded by phone unable to place deals, would the emergency services system fall over?  In the end, there was no more than a ripple of impact.  Years of preparation plus a thorough public awareness campaign ensured that everyone was aware of the change, and five years later another change introduced the “020” London numbers and consolidated all mobile numbers to start with “07”.

That was in the year 2000, which of course gave us the second biggest event that caused mass panic in technology terms – the Y2K or Millennium bug.  Rumours spread that the world would end at midnight on 31st December 1999, when our computer systems simply wouldn’t be able to cope with the date clocks moving to 2000.  By luck I had moved into the IT sector by this point and spent my time trying to advise clients about the potential impacts and some practical steps they could take.  But many organisations sold on fear – fear that organisations’ computer systems would fail, fear that websites would stop working, fear that the Internet, then in its early commercial days, would crash.  Many people made a lot of money selling services that simply weren’t needed.

Next May we have another compelling event, one that almost certainly requires every business in Europe to take steps to protect themselves as well as their customers’ data, and one where the ramifications of non-compliance could be severely damaging.  The General Data Protection Regulation (GDPR) may have slipped under the radar of some businesses, but when it comes into effect on the 25th May 2018 it brings new accountability obligations, stronger rights for individuals and restrictions on international data flows.

Businesses that operate in Europe or hold data on European customers must be compliant within the next 13 months – after that date they could be hit with huge penalties for any mishandling of personal data, including a breach suffered through cyber threats such as data theft where appropriate security measures were not in place.

Cybercrime today is unfortunately a growing business, with ever more sophisticated means being deployed by criminals to exploit not only insecure systems but also the most fallible link in any organisation – its employees. Social engineering is an almost daily threat for some organisations, and the criminals only have to be lucky once to have potentially devastating effects.

The GDPR brings together many of the existing laws on how organisations need to handle data breaches.  A personal data breach will have to be reported to the supervisory authority (the ICO in the UK) within 72 hours of the organisation becoming aware of it, unless the breach is unlikely to result in a risk to individuals, which means organisations must have the technology and processes in place both to detect and to respond swiftly to any breach.  Failure to comply with the regulations could see firms fined up to €20 million or up to 4% of their global annual turnover, whichever is higher.

This isn’t something that companies should schedule to start planning for next year, it is something that they need to be on top of now.  A colleague who works in data security said to me this week, “There’s two types of company – one who has had a data breach and one who doesn’t yet know they’ve had a data breach”.  Whilst this statement may hold water mainly for the corporate and enterprise market, it is an interesting guiding principle that every organisation should consider.  The financial penalties following even the most sustained and malicious cyber-attacks could be terminal for some businesses come what May (2018).

The good news is that there is enough information available to understand the legislation and how organisations can start planning for the new regulations.  In addition, many vendors are developing software that monitors networks for potential breaches that today may be slipping under the radar, including signs of social engineering attacks and data misuse (including industrial espionage) – a small price to pay for ensuring that customer data is kept safe and sound.

We will hear more and more about the GDPR over the coming months and I urge everyone not to ignore it.  Whilst in our post-Brexit mood we may scoff at anything that mentions the words “European Union”, it is highly important that in this context we address the issues at hand and do not leave everything to the last minute where the cost of compliance could be prohibitive.

Scam of the Week – Vouching for the real deal

Last week one of my friends shared a post on Facebook about a promotion supposedly being run by Asda to celebrate their “Anniversary”, whereby they would give every shopper a voucher for £85.  For one of the world’s largest retailers to reward the loyalty of every customer with such a generous offer would have been unprecedented.  This simply looked too good to be true.  Alas, it was.

Unfortunately, by the time news would have reached Asda’s HQ in Leeds, hundreds, if not thousands, of Social Media users may have become the latest victims of a relatively simple scam.

There was no anniversary – Asda were formed on the 19th February 1949 – nor was the domain name that appeared on the Facebook ad registered by Asda.  It was registered just a few hours prior to appearing on Facebook, and not through their corporate domain name management partner, MarkMonitor, but by a Naveen Patnayak who lives at 1130 in Mumbai – quite an ambiguous address in a city of 18.4 million people.

Fortunately, the website is no longer live and I haven’t seen the advert appear on my Facebook timeline since, but the damage may have already been done.  With 1.86 billion active users on the world’s biggest Social Media network, hundreds of thousands of users will have faith that the adverts that appear on their timeline are genuine – after all, there’s no health warning to suggest that anything but the truth should be appearing on people’s timelines.  In this instance, the brand targeted has millions of customers, many of whom will also be avid users of Social Media.  With those two worlds combining, some people will have been duped by this advert.

It is unclear what the motives behind the domain name registration were – perhaps to harvest personal details of duped shoppers to sell on to others, to grab financial details that may be used for nefarious purposes, or even to spread malware to those who found their way onto the website.

Unfortunately, it only took a small amount of brain power to find a suitable domain name – Asda will have a robust domain name portfolio that balances opportunity and risk, but they can’t be expected to have registered every relevant keyword in the 1,000+ Top Level Domains that exist today.  Likewise, major retail registrars will have processes in place that check domain name registrations for abusive keywords, but “asdaoffers” may not scan in a way that would flag it as intellectual property abuse.
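Brand-protection teams automate exactly this kind of triage. The script below is an added illustration (my own, not code from the original post, from Asda or from MarkMonitor) that scores a batch of registrations on the three signals the Asda case shows: a protected keyword in the name, even when disguised with look-alike digits such as “a5da”; how soon before the advert the domain was created; and whether it went through the brand’s usual registrar. The brand table, registrar names, timestamps and WHOIS-style records are constructed sample data; in practice the records would come from WHOIS/RDAP lookups.

```python
"""Brand-abuse triage for newly seen domains (added example, constructed data)."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
import re
import unicodedata

# Hypothetical brand table: protected keyword -> registrar the brand normally uses.
PROTECTED_BRANDS = {"asda": "markmonitor"}

# Digit/symbol substitutions scammers use so the keyword never appears literally.
LOOKALIKES = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s",
                            "@": "a", "$": "s", "|": "l"})


@dataclass
class Registration:
    domain: str
    registrar: str
    created: datetime      # creation date as reported by WHOIS/RDAP
    seen_in_ad: datetime   # when the domain first appeared in a social media advert


def normalise(domain: str) -> str:
    """'A5da-0ffers.shop' -> 'asda-offers': drop the TLD, fold case and accents
    (IDN homoglyphs), and undo look-alike digits and symbols."""
    labels = domain.lower().rstrip(".").split(".")
    body = ".".join(labels[:-1]) if len(labels) > 1 else labels[0]
    body = unicodedata.normalize("NFKD", body)
    body = "".join(ch for ch in body if not unicodedata.combining(ch))
    return body.translate(LOOKALIKES)


def score_registration(reg: Registration, brands=PROTECTED_BRANDS):
    """Return (score, reasons); a higher score means more likely brand abuse."""
    score, reasons = 0, []
    body = normalise(reg.domain)
    tokens = [t for t in re.split(r"[^a-z]+", body) if t]
    corp_registrar = None
    for brand, registrar in brands.items():
        if any(t.startswith(brand) for t in tokens):
            score += 3
            reasons.append(f"brand '{brand}' leads a label")
            corp_registrar = registrar
            break
        if brand in body:  # e.g. 'nasdaq' contains 'asda': a weak signal only
            score += 1
            reasons.append(f"brand '{brand}' appears inside a word")
            corp_registrar = registrar
            break
    if corp_registrar is None:
        return score, reasons  # no brand in the name: age and registrar say nothing
    age = reg.seen_in_ad - reg.created
    if age <= timedelta(hours=48):
        score += 3
        reasons.append(f"registered {age} before the advert")
    elif age <= timedelta(days=30):
        score += 1
        reasons.append("registered within the last 30 days")
    if reg.registrar.lower() != corp_registrar:
        score += 2
        reasons.append(f"registrar '{reg.registrar}' is not the brand's ({corp_registrar})")
    return score, reasons


def verdict(score: int) -> str:
    return "likely abuse" if score >= 6 else "review" if score >= 4 else "ok"


def triage(regs):
    """Map each domain to its (score, verdict)."""
    out = {}
    for r in regs:
        s, _ = score_registration(r)
        out[r.domain] = (s, verdict(s))
    return out


# Constructed sample records (hypothetical timestamps and registrars).
AD_SEEN = datetime(2017, 2, 20, 2, 30, tzinfo=timezone.utc)
SAMPLE_REGISTRATIONS = [
    Registration("asda.com", "MarkMonitor", datetime(1995, 1, 1, tzinfo=timezone.utc), AD_SEEN),
    Registration("A5da-0ffers.shop", "Example Registrar Ltd", AD_SEEN - timedelta(hours=5, minutes=30), AD_SEEN),
    Registration("nasdaq.com", "Other Registrar Inc", datetime(1990, 1, 1, tzinfo=timezone.utc), AD_SEEN),
    Registration("asdaoffers.xyz", "Example Registrar Ltd", AD_SEEN - timedelta(days=20), AD_SEEN),
]

if __name__ == "__main__":
    for r in SAMPLE_REGISTRATIONS:
        s, why = score_registration(r)
        print(f"{r.domain:18} {s:2} {verdict(s):13} {'; '.join(why)}")
```

The keyword test is deliberately two-tier: a brand that leads a label (“asdaoffers”, “asda-deals”) scores high, while a brand buried inside an unrelated word (“nasdaq”) only nudges the score, which keeps genuine old registrations with unrelated registrars out of the “likely abuse” bucket. The thresholds are arbitrary starting points to tune against your own false-positive rate.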

We all have to be part of the solution and not the problem.  Simply questioning what may seem to be a bonus or a bargain takes seconds but it could save you financially in the long run.